Manage Policy Groups
This guide walks you through creating a Policy Group, adding policies to define tool access rules, attaching the group to an MCP Gateway, and deleting groups when no longer needed.
Prerequisites
A GreenNode account with role Root or Admin (Member and Viewer have read-only access)
At least 1 MCP Gateway created to attach the Policy Group to
Create a Policy Group
Step 1: Open the Policy Groups page
Sign in to AI Platform Console
Select AgentBase in the left menu
Select MCP Governance β Policy Groups

Click Create Policy Group
Step 2: Fill in basic information (Step 1)
Enter a Name following these rules:
Must start with a letter (aβz, AβZ)
Valid characters: letters, digits, underscore
Minimum 5, maximum 50 characters
Unique within the organization
Example name β Valid?
PolicyGroup_Prod01 β β
sales_agent_policy β β
myPolicy β β
123invalid β β starts with a digit
name with space β β contains a space
ab β β fewer than 5 characters
Enter a Description (optional) β up to 4096 characters
Click Create Policy Group β the Policy Builder opens
Add Policies (Policy Builder)
After creating the group, the Policy Builder opens (Step 2). You can add up to 20 policies per group.
Step 3: Add a new policy
Click + Add Policy
Enter a Policy name β up to 64 characters, unique within the group (e.g., allow-sales-call-tool)
Enter a Policy description (optional)
Step 4: Choose an Effect
ALLOW
Permit the agent to execute the action when the policy matches
DENY
Block the agent from executing the action when the policy matches
Step 5: Choose a Principal
All principals (everyone) β applies to all agents calling through the gateway
Specific principal β applies only to a specific user or service account
When choosing Specific:
Field β Value β Notes
Type β iam or jwt β iam = IAM identity; jwt = JWT Token
Identifier β optional β leave empty to match all users of that type; enter an ID to match exactly 1 user
Examples:
Type jwt, identifier sales-agent-service β serialized as "jwt:sales-agent-service"
Type iam, no identifier β serialized as "iam" (matches all IAM users)
Type jwt, identifier * β serialized as "jwt:*" (valid wildcard β matches all JWT users)
Step 6: Choose a Gateway Scope
All gateways (*) β policy enforces on every gateway attached to this group
Specific gateway(s) β select a subset from the dropdown (only gateways already attached to this group)
Step 7: Choose an Action
All actions (*) β applies to all tools/call requests
Specific actions β enter exact patterns in the format targetName__toolName
Examples of valid action patterns:
Only * (all) or exact targetName__toolName are supported. Partial wildcards like paymentTarget__* or *__chargeCard are not valid.
Step 8: Add Conditions (optional)
Enable the Add conditions toggle
Click + Add Condition
Select an Operator, enter a Key and Value
Repeat to add more conditions β all must be true (AND logic)
Policy Examples
Example 1 β ALLOW all agents to call any tool
Use as a baseline "permit all", combined with more specific DENY policies layered on top.
Example 2 β ALLOW only a sales agent to call payment tools
Serialized principal: "jwt:sales-agent-service"
Only agent sales-agent-service with role sales can call chargeCard and getBalance.
Example 3 β DENY all requests outside business hours (before 8 AM)
Create a second policy to also block after 5 PM:
Because multiple conditions combine with AND, split into two separate policies β one for before 8 AM and one for after 5 PM.
Example 4 β ALLOW only internal network traffic
Pair with a DENY-all policy at the bottom to block all external requests:
Because evaluation stops at the first match, allow-internal-only (placed first) permits internal traffic; deny-all-fallback (placed last) blocks everything else.
Step 9: Save
Click Save Changes β the group transitions to Active status and the Policy Group Detail page opens.


Attach a Policy Group to a Gateway
There are 3 ways to attach a group to a gateway:
Option 1 β From Policy Group Detail
Open Policy Group Detail (click the group name from the list)
Select the Associated Gateways tab
Click Associate Gateway
Select a gateway from the dropdown
Click Confirm
Option 2 β From the Policy Groups list
Tick the checkbox on the group row
Click Associate Gateway (green outline button on the toolbar)
Select a gateway and click Confirm
Option 3 β From MCP Gateway Detail
See Manage MCP Gateway.
Each MCP Gateway can only have one Policy Group at a time. If the gateway already has a group, attaching a new one immediately replaces the old group β policies from the old group stop being enforced.
Detach a Gateway from a Policy Group
Open Policy Group Detail β Associated Gateways tab
Locate the gateway β click Detach
Confirm in the dialog
After detaching, the gateway has no policy control β all tools/call through that gateway will be denied until a new Policy Group is attached.
Delete a Policy Group
Deleting a Policy Group is irreversible. If the group is attached to any gateways, deletion will automatically detach all of them β those gateways lose policy control immediately.
Go to Policy Groups
Tick the checkbox on the group row
Click Delete (red button) β review the warning and confirm
Result
After completing these steps, the Policy Group is in Active status and attached to the gateway. Every tools/call through that gateway is evaluated against the group's policies in order β first-match wins, DENY by default if no rule matches.
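A small reference implementation of the matching and evaluation rules described in Steps 4 to 8, the Policy Examples and the Result above, added here as an illustration and not GreenNode's own code. The in-memory policy form, the condition operators (eq, lt, gt) and the hour/role context keys are assumptions; the principal serialization, the exact-action rule and the first-match, default-DENY order follow the page.

```python
from dataclasses import dataclass

# Assumed in-memory form of one Policy Builder entry; field names are ours, not the console's.
@dataclass
class Policy:
    name: str
    effect: str                  # Step 4: "ALLOW" or "DENY"
    principal: str = "*"         # Step 5: "*", "iam", "jwt", "iam:<id>", "jwt:<id>" or "jwt:*"
    gateways: tuple = ("*",)     # Step 6: "*" or names of gateways attached to the group
    actions: tuple = ("*",)      # Step 7: "*" or exact targetName__toolName strings
    conditions: tuple = ()       # Step 8: (key, operator, value) triples, all must hold (AND)

# Assumed condition operators; the page names none, so these are illustrative.
OPS = {"eq": lambda a, b: a == b, "lt": lambda a, b: a < b, "gt": lambda a, b: a > b}

def serialize_principal(ptype, identifier=None):
    """Step 5: ("jwt", "sales-agent-service") -> "jwt:sales-agent-service"; no identifier -> "jwt"."""
    return ptype if not identifier else f"{ptype}:{identifier}"

def principal_matches(rule, actual):
    """Match a serialized policy principal against the caller's serialized identity."""
    rtype, _, rid = rule.partition(":")
    atype, _, aid = actual.partition(":")
    return rule == "*" or (rtype == atype and (rid in ("", "*") or rid == aid))

def validate_action(pattern):
    """Step 7: only '*' or an exact targetName__toolName is accepted; partial wildcards are not."""
    target, sep, tool = pattern.partition("__")
    return pattern == "*" or bool(sep and target and tool and "*" not in pattern)

def evaluate(policies, principal, gateway, action, ctx):
    """Result: policies are checked in order, first match wins, DENY if nothing matches."""
    for p in policies:
        if (principal_matches(p.principal, principal)
                and ("*" in p.gateways or gateway in p.gateways)
                and ("*" in p.actions or action in p.actions)
                and all(k in ctx and OPS[op](ctx[k], v) for k, op, v in p.conditions)):
            return p.effect, p.name
    return "DENY", None

# Constructed policy set combining Examples 2, 3 and 4; "hour" (0-23) is an assumed condition key.
POLICIES = [
    Policy("deny-before-8", "DENY", conditions=(("hour", "lt", 8),)),
    Policy("deny-after-5pm", "DENY", conditions=(("hour", "gt", 17),)),
    Policy("allow-sales-payment", "ALLOW", principal=serialize_principal("jwt", "sales-agent-service"),
           actions=("paymentTarget__chargeCard", "paymentTarget__getBalance"),
           conditions=(("role", "eq", "sales"),)),
    Policy("deny-all-fallback", "DENY"),
]
```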
Understand the evaluation flow in detail
Configure an MCP Gateway